More on data formats

Dirkjan Ochtman dirkjan at ochtman.nl
Wed Nov 20 01:44:09 PST 2013


On Wed, Nov 20, 2013 at 10:41 AM, Lloyd Hilaiel <lloyd at hilaiel.com> wrote:
> 1. That an assertion lacks `iat` makes robust date range checking difficult.
> Specifically, it's hard to verify that you don't have an assertion with a
> future issue time.  Shall we add `iat` to assertion format?

That sounds sensible to me.

> [1] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17 -
> section 4.2 and 4.3 are pretty wild west about private extension naming.
> but the suggestion seems to be to add properties as you extend.

You have the wrong URL here, I think you mean
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13.

Also, Lloyd noted that that spec (JWT) currently states that 'the
"sub" value is a case-sensitive string containing a StringOrURI
value', i.e., our JSON object usage is forbidden per current spec.

Cheers,

Dirkjan
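
The date range check this thread asks for, as an added example that is not part of the original message or the project's code. The function name, the 300-second skew tolerance and the sample claims are assumptions; timestamps are taken to be seconds since the epoch, as JWT defines them.

```javascript
// Added example: the claim names iat/exp/sub come from JWT; everything else
// (function name, skew value, sample data) is constructed for illustration.
const MAX_SKEW_SECONDS = 300; // assumed tolerance for clock drift

function checkAssertionClaims(claims, nowSeconds, skew = MAX_SKEW_SECONDS) {
  const errors = [];
  const isTime = (v) => Number.isFinite(v) && v >= 0;

  // JWT says "sub" is a string (StringOrURI), so a JSON object is rejected.
  // Only the type is checked here; URI syntax is not validated.
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
    errors.push('sub: not a string');
  }

  // Without iat, exp is the only bound and a future-dated assertion
  // cannot be told apart from a fresh one.
  if (!isTime(claims.iat)) {
    errors.push('iat: missing or not a number');
  } else if (claims.iat > nowSeconds + skew) {
    errors.push('iat: issued in the future');
  }

  if (!isTime(claims.exp)) {
    errors.push('exp: missing or not a number');
  } else if (claims.exp + skew <= nowSeconds) {
    errors.push('exp: expired');
  }

  // The validity window itself must be well formed.
  if (isTime(claims.iat) && isTime(claims.exp) && claims.exp <= claims.iat) {
    errors.push('exp: not after iat');
  }

  return { ok: errors.length === 0, errors };
}

// Constructed sample claims, evaluated against a fixed "now".
const NOW = 1384940649;
const SAMPLES = {
  good: { sub: 'user@example.com', iat: NOW - 10, exp: NOW + 290 },
  future: { sub: 'user@example.com', iat: NOW + 3600, exp: NOW + 3900 },
  noIat: { sub: 'user@example.com', exp: NOW + 290 },
  objectSub: { sub: { uid: 'abc' }, iat: NOW - 10, exp: NOW + 290 },
  expired: { sub: 'user@example.com', iat: NOW - 1000, exp: NOW - 400 },
};
```
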